Health Law Highlights

The Most Critical Elements of the FTC’s Health Breach Rulemaking

From Lawfare, by Justin Sherman and Devan Desai:

  • The Federal Trade Commission (FTC) is considering modifications to its Health Breach Notification Rule (HBNR), which governs how non-HIPAA-covered entities handle health data breaches. The proposed changes aim to keep up with technological advancements and trends in the health tech and data landscapes.
  • The FTC’s proposal comes amid a greater focus on health data privacy, following enforcement actions against prescription drug provider GoodRx and fertility tracking app Premom, both of which allegedly violated the HBNR by sharing sensitive health data without proper disclosures.
  • The proposed changes aim to expand federal health data breach regulations to reflect the evolving role of health tech apps, telehealth services, data brokers, and digital advertisers in collecting, aggregating, identifying, sharing, and selling Americans’ health information.
  • The FTC is looking to expand and clarify the definition of personal health record identifiable information, formally expand the definition of a breach to include unauthorized data disclosures, and clarify how the HBNR applies to mobile apps and health tech companies.
  • While the proposed changes largely serve to clarify existing policies and practices, they are viewed as crucial in improving privacy regulation, aligning with state-level health data regulations, and addressing harmful practices such as selling sensitive health data without consumers’ consent.